[security] ReadHeaderTimeout not configured #821
Comments
duglin pushed a commit to duglin/sdk-go that referenced this issue on Dec 8, 2022: Closes cloudevents#821 Signed-off-by: Doug Davis <dug@microsoft.com>
duglin pushed a commit to duglin/sdk-go that referenced this issue on Dec 9, 2022: Closes cloudevents#821 Signed-off-by: Doug Davis <dug@microsoft.com>
Description
The http.Server API in Go can be initialized with four different timeouts, including ReadHeaderTimeout. Without specifying a value for this timeout, the listener instance will become vulnerable to the Slowloris DoS attack.
Exploit Scenario
Attackers can exhaust server resources by opening multiple HTTP connections to the server, keeping the connections open, and slowly and continuously sending new HTTP header lines over the socket. This will eventually exhaust all open file handles.
Recommendations
Short term, specify an appropriate timeout value for the ReadHeaderTimeout parameter. Long term, improve the code and SDK documentation to consider other means of handling timeouts and preventing DoS attacks.
This was opened due to the Trail of Bits security review.
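As an added illustration of the recommendation (example code, not the SDK's own), the bare server the issue describes beside a hardened one, plus a small review helper that reports which of the four timeouts are unset; the timeout values are assumptions chosen for the example:

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// newHardenedServer returns an http.Server with all four server-side timeouts
// set. ReadHeaderTimeout bounds how long a client may take to finish sending
// the request headers; once it expires the connection is closed and its file
// descriptor freed, which is what defeats a slow-header client. Note that a
// zero ReadHeaderTimeout falls back to ReadTimeout, so leaving both unset
// means no header deadline at all. The values below are example choices.
func newHardenedServer(addr string, handler http.Handler) *http.Server {
	return &http.Server{
		Addr:              addr,
		Handler:           handler,
		ReadHeaderTimeout: 10 * time.Second,  // headers must arrive within 10s
		ReadTimeout:       30 * time.Second,  // whole request: headers plus body
		WriteTimeout:      30 * time.Second,  // response must be written within 30s
		IdleTimeout:       120 * time.Second, // limit for idle keep-alive connections
	}
}

// missingTimeouts lists the server timeouts left at zero on s, so a config
// review can flag servers that would hold slow connections indefinitely.
// An empty result means every timeout is configured.
func missingTimeouts(s *http.Server) []string {
	var missing []string
	if s.ReadHeaderTimeout <= 0 {
		missing = append(missing, "ReadHeaderTimeout")
	}
	if s.ReadTimeout <= 0 {
		missing = append(missing, "ReadTimeout")
	}
	if s.WriteTimeout <= 0 {
		missing = append(missing, "WriteTimeout")
	}
	if s.IdleTimeout <= 0 {
		missing = append(missing, "IdleTimeout")
	}
	return missing
}

func main() {
	// The bare configuration the issue describes: no timeouts at all.
	bare := &http.Server{Addr: ":8080", Handler: http.NotFoundHandler()}
	fmt.Println("bare server missing:", missingTimeouts(bare))
	hardened := newHardenedServer(":8080", http.NotFoundHandler())
	fmt.Println("hardened server missing:", missingTimeouts(hardened))
}
```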